Cybersecurity: Cause for optimism, need for continued vigilance

Last month, the Department of Homeland Security hosted its first-ever National Cybersecurity Summit, bringing together some of the senior-most cybersecurity officials across government including cabinet officials and the Vice President, industry CEOs, and representatives from some of the largest companies in the world. This was the first-of-its-kind event providing a forum to coordinate risk management across government and private sector. The Administration is to be applauded for their efforts, as there is a clear need for a coordinated, cross-sector, government-industry effort to protect our Nation’s critical infrastructure from the growing cybersecurity threat. Within the Federal government, DHS is tasked with leading government’s efforts to champion that coordinated, integrated approach.

These efforts are encouraging and should be welcomed, especially after a July 23, 2018, report citing Homeland Security officials stating that Russian hackers have conducted hundreds of attacks against the United Stated electrical grid. Cyber-attack and disruption has moved beyond threats to actual effects. Not only do we have to worry about our infrastructure being attacked, but we must deal with foreign actions like the Russians impacting our energy markets and infrastructure projects, spreading misinformation to prevent things from even being built, as a House Committee on Science, Space and Technology Report released last March so clearly demonstrates.

The House Committee report covered its investigation into Russian efforts to influence U.S. energy markets. The report, its footnotes, and news reports detailed how Russia channeled money to groups such as the Sea Change Foundation, which forwarded money to groups such as The Energy Foundation and the Sierra Club which in turn funded conservation and environmental organizations, all in an attempt to carry out its geopolitical agenda, particularly with respect to energy policy. The report contained examples of Russian-developed content targeting U.S. energy markets and energy policy. Quoting directly from the report, “Russian agents attempted to incite Americans to take action against pipeline efforts by promoting links and references to online petitions. Numerous tweets, for example, encouraged viewers to follow links to petitions aimed at stopping the Dakota Access, Sabal Trail, and Enbridge Line 5 pipeline (Page 8 of the above-cited report).”

Better understanding of these actions and costs, benefits and risks to government and industry are needed. The Federal Government can articulate the threat of cyber-attacks, actively protect its own systems (.gov) and advise and offer to provide limited support to state, local, territorial and tribal entities, as well as to private sector owners of critical infrastructure (the .com world). We need to build upon partnerships with the government to improve information sharing to keep up with threats.

While the cost of a massive infrastructure attack is quite high, the probability of a catastrophic attack at any given moment is low. Headlines and articles about potential attacks on our grid are great click-bait – but they ignore the fact that Russia and China (our most sophisticated adversaries and likely the only ones with the capability to harm our grid) are aware that if they shut down our electrical grid anywhere in America, our government could do the same to them in Moscow or Beijing. Just because Russia has strategies to attack us, doesn’t mean they will. It’s the same deterrent strategy that kept the world from blowing itself up during the height of the Cold War.

One aspect of an attack on our critical infrastructure that the government does need to be more in tune with is the interconnectedness and cross dependencies of our public infrastructure which ensure that the entire system is only as strong as its weakest link. Today, an attack on our financial system or natural gas pipelines may also have implications for our ability to provide Americans with electricity.

Finally, the federal government must work more closely with private industry to ensure that if they share information critical to the mitigation and prevention of attacks, proprietary information is protected and the bureaucrats and politicians do not lay blame on those businesses. Because even if that corporation could have done more to protect consumers, if the company feels that working with government exposes them to litigation or other punitive measures, they might refuse. Ultimately, this would prevent collaboration precisely when such information is needed by law enforcement and security agencies to establish attribution and build forensic and criminal cases against perpetrators.

Authorities are often left to play Cassandra prophesying doom, but only reaching deaf ears. Changing the risk-reward equation is a difficult task for government. It may require controversial protections against corporate liability, real tax incentives for investment in hardened critical systems, and tougher penalties or sanctions against those who fail to operate resilient critical infrastructure systems. Government needs to be a full participant in changing the risk-reward calculation. Hopefully the new federal funding, structures, and authorities are a step in the right direction.

NOTE: This post has been updated from the original to add context, specificity, and source links to the paragraph describing the Sea Change foundation and other environmental groups.

Gregory T. Kiley is a former senior professional staff member of the Senate Armed Services Committee and U.S. Air Force Officer.